Issues using startTLS with Openldap 2.4.23

dchrist
Posts: 5
Joined: 2011/12/02 22:44:15

Issues using startTLS with Openldap 2.4.23

Post by dchrist » 2011/12/02 23:37:06

Hello,

I am running the latest version of openldap server 2.4.23. When I try to connect to my ldap server using startTLS I get errors. I am able to connect without using tls.

Here is the output from ldapsearch.

[code]
ldapsearch -LL -d1 -v -x -W -D 'cn=Manager,dc=localdomain,dc=com' -H ldap://localhost -ZZ '(cn=*)'
ldap_url_parse_ext(ldap://localhost)
ldap_initialize( ldap://localhost:389/??base )
ldap_create
ldap_url_parse_ext(ldap://localhost:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x24a1320 msgid 1
wait4msg ld 0x24a1320 msgid 1 (infinite timeout)
wait4msg continue ld 0x24a1320 msgid 1 all 1
ld 0x24a1320 Connections:
host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Dec 2 23:03:53 2011
ld 0x24a1320 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x24a1320 request count 1 (abandoned 0)
ld 0x24a1320 Response Queue:
Empty
ld 0x24a1320 response count 0
ldap_chkResponseList ld 0x24a1320 msgid 1 all 1
ldap_chkResponseList returns ld 0x24a1320 NULL
ldap_int_select
read1msg: ld 0x24a1320 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x24a1320 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x24a1320 0 new referrals
read1msg: mark request completed, ld 0x24a1320 msgid 1
request done: ld 0x24a1320 msgid 1
res_errno: 0, res_error: , res_matched:
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: file ca-bundle.trust.crt does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: file ca-bundle.crt does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: file cacert.pem.bakup does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: file cacert.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: did not find any valid CA certificates in /etc/openldap/cacerts
TLS: could not initialize moznss using security dir /etc/openldap/cacerts prefix - error -8174.
TLS: could perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -5939:No more entries in the directory
TLS: can't create ssl handle.
ldap_err2string
ldap_start_tls: Connect error (-11)
[/code]
I have verified the certs are good using openssl. I've tried using TLS_CACERT in my /etc/openldap/ldap.conf instead of TLS_CACERTDIR, but still have similar issues with not being able to connect. I've seen various posts about issues with moznss, but I have yet to see a work around for this issue. Does anyone know how to work around this issue or get TLS working some other way?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Issues using startTLS with Openldap 2.4.23

Post by TrevorH » 2011/12/02 23:48:46

Use TLS_CACERTDIR and then show the output from `ls -la` of that directory please. If you could wrap that output in [code][/code] tags then that would make it more readable.

dchrist
Posts: 5
Joined: 2011/12/02 22:44:15

Re: Issues using startTLS with Openldap 2.4.23

Post by dchrist » 2011/12/05 15:18:17

Here are the contents of my /etc/openldap/ldap.conf file:

[code]
cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://localhost/
BASE dc=localdomain,dc=com
#TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
#TLS_REQCERT demand
TLS_REQCERT never
[/code]


Here are the contents of my /etc/openldap/cacerts directory.

[code]
/etc/openldap/cacerts
[root@localhost cacerts]# ls -la
total 1252
drwxr-xr-x 2 ldap ldap 4096 Dec 5 15:10 .
drwxr-xr-x 5 ldap ldap 4096 Dec 2 20:44 ..
-rw-r--r-- 1 root root 571410 Dec 2 20:51 ca-bundle.crt
-rw-r--r-- 1 root root 651043 Dec 2 20:51 ca-bundle.trust.crt
-rw-r--r-- 1 root root 4954 Dec 2 20:49 cacert.pem
-rw-r--r-- 1 root root 4951 Dec 2 20:49 cacert.pem.bakup
-rw-r--r-- 1 root root 29836 Dec 5 15:09 log
[/code]

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Issues using startTLS with Openldap 2.4.23

Post by TrevorH » 2011/12/05 15:40:28

Right. To get your CA cert recognised it has to exist as a filename that is the same as the hash of it! So if you run

[code]
/etc/pki/tls/misc/c_hash /etc/openldap/cacerts/cacert.pem
[/code]

then it should spit out something like

[quote]
69c9c6c4.0 => /etc/openldap/cacerts/cacert.pem
[/quote]

I find the easiest thing to do is to create a symlink

[code]
cd /etc/openldap/cacerts
ln -s cacert.pem 69c9c6c4.0
[/code]

(substituting your hash for the symlink name of course)
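The c_hash-plus-symlink step above, done for a whole directory at once. This is an added example, not code from this thread or from OpenLDAP; it assumes the `openssl` command line tool is on PATH, and `openssl x509 -subject_hash` is the same computation that c_hash performs. Two caveats that follow from the listing earlier in the thread: anything openssl cannot parse as a certificate (a key, the `log` file) is simply skipped, and a multi-certificate bundle such as ca-bundle.crt only ever gets the hash of its first certificate, so bundles belong in TLS_CACERT rather than in a hashed directory. The hash also has to come from the same OpenSSL generation the client uses, since OpenSSL 1.0.0 changed the subject-hash algorithm.

```shell
# Added example (not from the thread or from OpenLDAP): give every CA certificate
# in a directory the <subject_hash>.<n> name that a TLS_CACERTDIR lookup expects.
# Assumes the openssl CLI is on PATH. Files openssl cannot parse as a certificate
# (keys, logs, config fragments) are left alone.

hash_ca_dir() {
    dir="$1"
    created=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and a literal '*'
        [ -L "$f" ] && continue          # skip symlinks, including ones made earlier
        hash=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || continue
        name=$(basename "$f")
        # First free suffix: <hash>.0, <hash>.1, ... (distinct CAs can share a hash)
        n=0
        while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
            # Already linked to this very file, so nothing to do for it
            [ "$(readlink "$dir/$hash.$n")" = "$name" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$name" "$dir/$hash.$n"
        created=$((created + 1))
    done
    echo "$created"                      # number of links created on this run
}

# Usage on the directory from the thread:
#   hash_ca_dir /etc/openldap/cacerts
#   ls -la /etc/openldap/cacerts
```

Running it a second time creates nothing, so it is safe to call after every certificate rotation; `openssl verify -CApath <dir> <cert>` afterwards is the quickest confirmation that the lookup by hash works.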

dchrist
Posts: 5
Joined: 2011/12/02 22:44:15

Re: Issues using startTLS with Openldap 2.4.23

Post by dchrist » 2011/12/05 16:27:30

Thanks for the tip. I tried what you suggested but it still doesn't work. I checked my cacert with openssl and everything appears to be okay.

Openssl verify:

[code]
openssl verify -CAfile /etc/openldap/cacerts/cacert.pem /etc/pki/tls/certs/slapd.pem
/etc/pki/tls/certs/slapd.pem: OK
[/code]

[code]
/etc/openldap/cacerts
[root@localhost cacerts]# ls -la
total 16
drwxr-xr-x 2 ldap ldap 4096 Dec 5 16:21 .
drwxr-xr-x 5 ldap ldap 4096 Dec 2 20:44 ..
lrwxrwxrwx 1 root root 10 Dec 5 16:19 18945410.0 -> cacert.pem
-rw-r--r-- 1 root root 4954 Dec 2 20:49 cacert.pem
[/code]

[code]
# ldapsearch -LL -d1 -v -x -W -D 'cn=Manager,dc=localdomain,dc=com' -H ldap://localhost -ZZ '(cn=*)'
ldap_url_parse_ext(ldap://localhost)
ldap_initialize( ldap://localhost:389/??base )
ldap_create
ldap_url_parse_ext(ldap://localhost:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x15b6320 msgid 1
wait4msg ld 0x15b6320 msgid 1 (infinite timeout)
wait4msg continue ld 0x15b6320 msgid 1 all 1
** ld 0x15b6320 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Dec 5 16:25:18 2011

** ld 0x15b6320 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x15b6320 request count 1 (abandoned 0)
** ld 0x15b6320 Response Queue:
Empty
ld 0x15b6320 response count 0
ldap_chkResponseList ld 0x15b6320 msgid 1 all 1
ldap_chkResponseList returns ld 0x15b6320 NULL
ldap_int_select
read1msg: ld 0x15b6320 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x15b6320 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x15b6320 0 new referrals
read1msg: mark request completed, ld 0x15b6320 msgid 1
request done: ld 0x15b6320 msgid 1
res_errno: 0, res_error: , res_matched:
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: loaded CA certificate file /etc/openldap/cacerts/18945410.0 from CA certificate directory /etc/openldap/cacerts.
TLS: file cacert.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: error: connect - force handshake failure: errno 0 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: TLS error -5938:Encountered end of file
[/code]

Anyone have any other ideas?

Thanks,

Duain

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Issues using startTLS with Openldap 2.4.23

Post by TrevorH » 2011/12/05 17:14:30

You got an error there with an error code -5938. Googling that takes me to a redhat bugzilla that talks about making sure that your CA cert really is a CA cert by running

[code]
openssl x509 -in cacert.pem -text
[/code]

You might also find it useful to try connecting to port 636 with an ldaps:// address until you get the certificate error out of the way - I think it may give better error messages that way.

dchrist
Posts: 5
Joined: 2011/12/02 22:44:15

Re: Issues using startTLS with Openldap 2.4.23

Post by dchrist » 2011/12/05 21:17:48

I verified my cacert with that command. I believe the relevant part is

[code]
X509v3 Basic Constraints:
CA:TRUE
[/code]

I believe my certificates are fine. I think the issue has something to do with the Moznss vs openssl compatibility issue, but other than running a different version of openldap server I don't see a work around to this issue.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Issues using startTLS with Openldap 2.4.23

Post by TrevorH » 2011/12/05 23:36:06

You are connecting to ldap://localhost but the certificate belongs to the name of the server which is not localhost. Try talking to ldap://the-name.on.the.certificate
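The three checks this thread has arrived at (CA:TRUE in the certificate, the `openssl verify` step dchrist ran, and the name-on-the-certificate point in this post) can be run against the files on disk in one go. This is an added example, not code from the thread; it assumes the `openssl` command line tool, 1.0.2 or newer for `x509 -checkhost`, and the default paths are the ones used in this thread. Worth keeping in mind while working through it: the ldap.conf posted earlier has `TLS_REQCERT never`, which makes the client accept any server certificate at all, so the point of getting these three checks to pass is to be able to set it back to `demand`.

```shell
# Added example (not from the thread): run the three checks the thread arrived at
# against certificate files on disk, before touching ldap.conf.
#   1. the CA file is really a CA   (X509v3 Basic Constraints: CA:TRUE)
#   2. the server cert chains to it (the `openssl verify` step)
#   3. the name in the client URI is a name the server cert carries
# Assumes the openssl CLI, 1.0.2 or newer (for x509 -checkhost). The default
# paths are the ones used in this thread; pass others as arguments.

check_server_cert() {
    ca="${1:-/etc/openldap/cacerts/cacert.pem}"
    srv="${2:-/etc/pki/tls/certs/slapd.pem}"
    host="${3:-localhost}"
    rc=0

    if openssl x509 -noout -text -in "$ca" 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "ok:   $ca has CA:TRUE"
    else
        echo "FAIL: $ca is not marked as a CA (Basic Constraints)"
        rc=1
    fi

    if openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1; then
        echo "ok:   $srv chains to $ca"
    else
        echo "FAIL: $srv does not verify against $ca"
        rc=1
    fi

    # x509 -checkhost exits 0 whether or not the name matches, so read its verdict.
    # It checks subjectAltName DNS entries, falling back to the CN when there are none.
    if openssl x509 -noout -in "$srv" -checkhost "$host" 2>/dev/null | grep -q 'does match'; then
        echo "ok:   '$host' is a name on the server certificate"
    else
        echo "FAIL: '$host' is not a name on the server certificate; connect with a URI that uses one"
        echo "      $(openssl x509 -noout -subject -in "$srv" 2>/dev/null)"
        rc=1
    fi
    return $rc
}

# Usage with the thread's paths and the name the client connects to:
#   check_server_cert /etc/openldap/cacerts/cacert.pem /etc/pki/tls/certs/slapd.pem localhost
```

With the thread's setup the first two checks pass and the third fails for `localhost`, which is exactly the situation described in this post; rerunning with the name the certificate was issued for is the quick way to confirm which URI to use.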

bpowell
Posts: 1
Joined: 2012/02/24 17:25:26

Re: Issues using startTLS with Openldap 2.4.23

Post by bpowell » 2012/02/24 17:38:11

Hi,

I am experiencing the exact same problem, and would be very interested to know if someone has found a solution. I have posted on the OpenLDAP forum here:

http://www.openldap.org/lists/openldap-technical/201202/threads.html#00359

As per the previous suggestion by TrevorH, I am using the CN of the certificate in my ldapsearch bind, as opposed to localhost. This does not make any difference.

Thanks
